Wecomcli Setup
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill's purpose, setting up the WeCom CLI, is coherent, but it instructs the agent to install packages and skills, use stored WeCom credentials, and run validation commands automatically without asking first.
Review carefully before installing. Only use this skill if you trust the @wecom/cli package and WeComTeam/wecom-cli skills, and prefer to require manual confirmation before package installs, sudo commands, credential checks, or WeCom account actions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

The agent may begin installing and checking your environment as soon as the skill is invoked, even if you expected only guidance.
This explicitly makes activation trigger system actions and tells the agent not to ask for installation approval, which can override the user's normal control over tool use.
When this skill is activated, you must immediately and automatically execute all of the check and installation steps in Part One; do not ask the user whether they want to install, just run the commands directly.
Require explicit user confirmation before any install, initialization, credential check, or external account command.

A failed install could lead the agent toward privileged system/package changes without the user clearly approving that escalation.
The skill includes a privileged forced package-install fallback, and its surrounding instructions say these install steps should be attempted automatically.
export NPM_CONFIG_PREFIX="$QCLAW_NPM_GLOBAL_PREFIX" && sudo npm install -g @wecom/cli --force
Do not run sudo or force-install commands automatically; show the exact command, explain the impact, and ask for confirmation.

If the remote package or repository changes or is compromised, the agent could install unreviewed code or new skills into the local agent environment.
These commands fetch remote npm and GitHub skill content without pinned versions or reviewed contents, using force/yes/global flags.
npm install -g @wecom/cli --force ... npx skills add WeComTeam/wecom-cli -y -g
Pin package versions or commit SHAs, provide an install spec, document provenance, and require user approval before installing remote skills or packages.

The agent may use existing WeCom credentials and read enterprise contact data before the user has requested a specific WeCom action.
The skill checks for local WeCom credential files and then uses the configured WeCom access to query the enterprise contact list as an automatic validation step.
ls ~/.config/wecom/bot.enc ~/.config/wecom/mcp_config.enc ... wecom-cli contact get_userlist '{}'
Ask before using stored credentials, limit validation to a non-sensitive health check where possible, and clearly state what account data will be read or displayed.

Installing this setup skill can add multiple persistent WeCom-related skills that may affect later agent behavior beyond the initial setup session.
The skill makes installation of additional global agent skills mandatory, creating persistent changes to future agent capabilities.
This step absolutely must not be skipped ... npx skills add WeComTeam/wecom-cli -y -g
List all skills to be installed, ask for approval, allow the user to skip or choose components, and provide a clear uninstall path.
